Exploiting COVID-19: how threat actors hijacked a pandemic

The global relevance of the COVID-19 pandemic created an environment primed for exploitation like none witnessed in the age of the cybercriminal. Adversaries of every sophistication level — advanced state-aligned groups, large and small-scale crime-motivated actors, fraudsters and spammers of every variety — all pivoted to make use of COVID-19 related content for their respective nefarious ends.

Prior to COVID-19, Proofpoint researchers had not observed the entire threat landscape pivot to the same social engineering theme. Over 30 known threat actors and many more unattributed threat clusters tracked by researchers used COVID-19 themes in campaigns. But why was the pandemic such a compelling choice for threat actors?

Fundamentally, the fear, uncertainty, and doubt around COVID among people all over the world created conditions where training and diligence broke down. This presented an opening for threat actors to exploit people.  

Now in our third year living with COVID-19, we can look back and identify some key phases global societies moved through. Initial periods required a great deal of dissemination of policy changes across a broad spectrum of organizations, including both country- and local-level mandates as well as business-related guidelines. Lockdown, economic stimulus, vaccine development and eventual deployment, the rise of variants creating new surges of illness – all these stages provided threat actors with the content needed to exploit the human condition and produce engagement with malicious content.

In this paper presented at the 2022 Virus Bulletin conference, we identified the following:

  • Threat actors are inherently opportunistic and will pivot to make use of what is perceived to be effective. The more relevant a topic is to a certain victim population, the greater the likelihood an actor targeting that population will attempt to exploit it. In the case of COVID-19, this was the entire world.
  • Regardless of whether an actor’s objective was to perpetrate small- or large-scale crime, espionage, or support other nation-state goals, COVID-19 provided a favorable backdrop against which to initiate operations.
  • COVID-19 impacted many spheres of personal and business relevance, and threat actors were extremely versatile in their attempts to deliver social engineering content speaking to disruptions in essentially all of these spaces.
  • People are more likely to interact with content that is related to their Company Operations, including business continuity, human resources policies, or remote work programs.
  • Threat actors responded to major events in the COVID-19 pandemic, including announcements of economic incentive programs and new variant strains with high infection rates, and incorporated these themes into message lures.
  • Credential capture threats that mirror legitimate login portals from Microsoft and other organizations are effective at garnering engagement.
  • Based on click rate data, content using COVID-19 themes was more compelling than other lure types.

This paper examines the wide array of COVID-19 related content threat actors have leveraged, how that use evolved alongside real-world conditions, and how it fits into the overall picture of the threat landscape since the beginning of 2020.